CPLEE - HIPAA

  1. Title II - Privacy Rule
    Provides regulations for the use and disclosure of protected health information (PHI).

    • Requires providers to
    • - inform clients of their privacy policies
    • - grant clients access to their health information 
    • - obtain client authorization before sharing health information for nonroutine purposes
    • - secure client records
    • - inform business associates of privacy practices 
    • - train employees so that they understand privacy procedures
  2. Title II - Security Rule
    Describes security safeguards for electronic protected health information (EPHI): administrative, physical, and technical security standards and implementation specifications designed to ensure the confidentiality, integrity, and availability of EPHI.

    Administrative standards - policies and procedures for implementing the security requirements (e.g., office policies and procedures)

    Physical standards - address computers and other electronic information systems and the facilities in which EPHI is stored

    Technical standards - address methods for limiting access to EPHI (e.g., passwords and encryption software)
  3. Title II - Transaction and Code Sets Rule
    Requires providers who transmit certain transactions electronically to use the same electronic format, code sets, and identifiers.

    The primary purpose of the transaction and code sets rule is to "achieve a higher quality of care and reduce administrative costs by streamlining the processing of routine administrative and financial transactions."

    It requires covered entities and their business associates who conduct certain business transactions electronically to use the same electronic format, code sets, and identifiers. As defined in this rule, "transactions" refers to the electronic exchange of client-identifiable health information for the purpose of carrying out financial or administrative activities, and "code sets" refers to "sets of codes used to communicate the diagnosis and procedure codes, data elements, and medical concepts used in electronic health care transactions."
  4. Does state law preempt HIPAA?
    HIPAA generally preempts contrary state law. State law controls only when it is more stringent than HIPAA, i.e., when it is more protective of the client's privacy or gives the client greater rights of access to their information.

    For example, California law is more stringent (and therefore takes precedence over HIPAA requirements) with regard to the protection of information related to certain aspects of mental health treatment and to HIV/AIDS testing.
  5. Who must comply with HIPAA regulations - Covered entities (CEs)
    Covered entities include health care providers, health plans, and health care clearinghouses (e.g., billing companies, community health information systems).

    Therapists are included among health care providers, a term that refers to any person or entity that provides, bills for, and/or is paid for health care in the normal course of business.
  6. What is Protected Health Information (PHI)?
    • A type of individually identifiable health information that is maintained or transmitted in any medium and that provides information about
    •    - an individual's past, present, or future physical or mental health condition
    •    - the provision of health care to the individual
    •    - past, present, or future payment for health care provided to the individual

    Information that does not identify, and cannot reasonably be used to identify, an individual is considered "de-identified" and is not subject to the same restrictions.

    PHI does not include individually identifiable health information in educational records covered by the Family Educational Rights and Privacy Act (FERPA) or in employment records maintained by a CE in its role as an employer.
  7. The Privacy Rule - Privacy rule trigger
    The privacy rule is triggered (must be implemented) when a provider transmits PHI electronically in connection with one or more standard transactions, including health care claims, health care payment and remittance advice, health plan eligibility, or enrollment or disenrollment in a health plan.

    Once the privacy rule is triggered, it applies to all of the provider's transactions, not just to those that are conducted electronically. APA recommends that all psychologists comply with HIPAA regulations, even if they do not transmit PHI electronically.
  8. The Privacy Rule - Psychotherapy notes
    Notes recorded in any medium by a mental health professional that document or analyze the contents of conversations during therapy.

    They are used only by the psychologist who wrote them, are kept separate from the rest of the client's record, and are not part of the documentation required to provide a client with health care treatment, to obtain payment for health care services, or to conduct health care operations.

    Under HIPAA, clients do not have the right to review psychotherapy notes, but California law preempts the HIPAA regulation on this point (California Office of HIPAA Implementation, 2005). Consequently, psychologists may, upon the request of a client, provide the client with a copy of the notes or a summary of them. Alternatively, psychologists may decline to provide a client with psychotherapy notes when they determine that "there is a substantial risk of significant adverse or detrimental consequences" to the client in viewing or receiving a copy of those notes.
  9. The Privacy Rule - Amendment of health information
    • Clients have the right to request an amendment to their PHI if they believe it is incorrect or incomplete. A provider may deny a client's request for an amendment if:
    • - the information was not created by the provider, unless the person who created it is no longer available to make the amendment
    • - the information is not part of the designated record set or is not available for inspection
    • - the provider believes the information is accurate and complete

    The client must be provided with a timely, written explanation that describes the basis for the denial, the client's right to file a statement of disagreement or to have the request and denial notice included in future disclosures of the information, and the procedures for filing a complaint with the provider or with the Department of Health and Human Services (DHHS).
  10. The Privacy Rule - Authorization to disclose health information
    Providers are required, in most circumstances, to obtain a signed written authorization from a client before disclosing PHI to a third party for reasons other than treatment, payment, or health care operations (TPO), and before releasing psychotherapy notes to a third party.

    • The authorization must include
    • - a description of the information to be disclosed and any limitations on its disclosure
    • - the name and function of the provider who may disclose the information
    • - the name and function of the person/entity authorized to receive and use the information
    • - an expiration date for the authorization
    • - a statement informing the client of their right to receive a copy of the authorization and to revoke it

    It is not necessary to obtain a client's authorization to release de-identified information or, in some circumstances, to release information included in a "limited data set" that contains only certain identifiers (e.g., city and state of residence, birth date, and other relevant dates), or when disclosure of PHI or psychotherapy notes is necessary to avert a serious threat to the health or safety of the client or another person.

    Best practice, however, is to obtain authorization whenever possible.
  11. The Privacy Rule - Notice of privacy practices
    HIPAA's privacy rule requires psychologists to provide clients with a Notice of Privacy Practices (NPP) on or before the onset of treatment, in written form or via email if the client agrees to receive the notice electronically.

    The NPP must also be posted in a prominent place in the psychologist's office and on their professional website, and the psychologist must make a "good faith effort" to obtain the client's written acknowledgement of receipt of the notice.

    • Must include:
    • - clear, plain language
    • - how the provider protects the information
    • - when information may be disclosed without authorization
    • - the client's rights to amend information and to revoke an authorization
    • - how the client can access their health information
    • - whom to contact for additional information
    • - procedures for filing a complaint
  12. The Privacy Rule - Minimum necessary standard
    Requires psychologists to limit the use and disclosure of PHI to the minimum necessary to accomplish the purpose of the disclosure. The rule also identifies circumstances in which the minimum necessary requirement does not apply, for example, when disclosures to health care providers are made for the purpose of providing treatment to a client or are made with the client's authorization.
  13. The Privacy Rule - Business associates
    A business associate (BA) is a person or organization other than a member of the psychologist's workforce who receives PHI in order to provide services to the psychologist or on the psychologist's behalf (e.g., answering service, collection agency, lawyer, accountant, billing service, shredding service, transcription agency). Psychologists must have a HIPAA business associate agreement (BAA) with all BAs; and, when psychologists learn that a BA is violating the agreement, they must take reasonable steps to correct the violation, terminate the agreement, or report the violation to DHHS.
  14. Practice Questions - Which of the following statements about denying a client access to their PHI under HIPAA's privacy rule is correct?

    1. Access may be denied when the psychologist believes that providing the information is reasonably likely to cause emotional distress for the client and the client is given the right to have the denial reviewed.

    2. Access may be denied when the psychologist believes that providing the information is reasonably likely to endanger the physical safety of the client or other person and the client is given the right to have the denial reviewed.

    3. Access may be denied when the psychologist believes that providing the information is reasonably likely to cause emotional distress for the client or endanger the physical safety of the client, and the psychologist determines whether the client may request that the denial be reviewed.

    4. Access may be denied when the psychologist believes that doing so is in the best interest of the client, and the psychologist determines whether the client may request that the denial be reviewed.
    HIPAA's privacy rule generally provides clients with greater access to PHI than does California law and therefore usually sets the standard for determining when access may be denied. The privacy rule states that a provider may deny a client access to their medical records when access is reasonably likely to endanger the life or physical safety of the client or another person. In this situation, however, the client has the right to have the denial reviewed by a licensed health care professional who was not involved in the original decision to deny access. Therefore, answer 2 is correct.
  15. Practice Questions - Under HIPAA's privacy rule, a health care provider may disclose PHI without the client's authorization:

    1. only when the disclosure meets the "minimum necessary" standard.

    2. only when the information is needed to provide the client with emergency health care services.

    3. when the information will be used for routine treatment, payment, and health care operations purposes.

    4. when the provider has determined that it is in the client’s best interest to do so.
    Note that this question asks about the requirements of HIPAA's privacy rule, not about other legal or ethical requirements. Answer 3 is the correct response because it most accurately describes HIPAA's requirements with regard to authorization for disclosure of PHI: disclosures for routine treatment, payment, and health care operations (TPO) do not require the client's authorization.
Author
mdawg